Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Feb 23, 2021 4:36:00 AM
Dec 24, 2016 8:15:29 AM
When a user authenticates with SAML/JWT/Ticket, security rules based on the attributes from the SSO provider do not work and the attributes are not visible in the QMC under the User record.
Environments:
- Qlik Sense Enterprise, all versions
When a user authenticates with SAML, a list of attributes will be given to Qlik Sense based on what is set up in the virtual proxy. The attributes depend on the implementation.
However, these User attribute(s) returned from the SSO provider are only kept for the user session and are not stored/persisted in the Qlik Sense Repository Database. Therefore, they do not appear in the QMC like attributes synchronized via a UDC connection (data which is persisted to the database).
Resolution:
- Reference the attributes via user.environment.[attribute name] (not user.[attribute name])
- View the exact attributes returned from the SSO provider by examining the logs:
- Set the Proxy Audit Logs to the DEBUG level
- After enabling debug logging, the (Trace/Audit) Proxy logs will reveal the extracted attribute(s). No restart is required.
The default location for this log is in C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\servername_Proxy_audit.txt
Example Headers that will be injected:
[X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; Context=AppAccess; role=Domain+Users; role=group5; ] || [X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || [X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || [X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || [X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]
- Set the Proxy Audit Logs to the DEBUG level
